The Nigeria Data Protection Regulation (NDPR), issued by NITDA in 2019, and the Nigeria Data Protection Act (NDPA) 2023, which established the Nigeria Data Protection Commission (NDPC), impose significant data protection obligations on Nigerian organisations. For HR teams, the onboarding process is one of the most data-intensive activities in the organisation — and one of the highest-risk areas for NDPR non-compliance.
Employee onboarding involves collecting some of the most sensitive categories of personal data:
The NDPA requires that all personal data processing has a lawful basis. For employee onboarding, the applicable bases are:
At the point of collecting personal data from a new hire, Nigerian employers must provide a privacy notice (also called a data subject notice) that explains: what data is collected, why it is collected and the lawful basis, how long it will be retained, who it may be shared with, the hire's rights as a data subject, and how to contact the organisation's Data Protection Officer (if appointed).
Crucially, this notice should be delivered before data collection begins — not buried in the employment contract as small print. Onboarding software that delivers the privacy notice as a mandatory first step (with acknowledgement captured) demonstrates NDPR compliance at the point of collection.
The NDPA's data minimisation principle requires that organisations only collect personal data that is directly necessary for the stated purpose. Your onboarding document checklist should not collect every piece of information that might conceivably be useful — it should collect what is needed now, with a documented reason for each data point.
The NDPA requires appropriate technical and organisational security measures for personal data. For onboarding data, this means: encryption of documents at rest and in transit, access controls limiting visibility to authorised HR personnel, secure deletion procedures, and incident response capability if data is breached.
Storing employee documents in an unprotected Google Drive folder or email inbox does not meet NDPA security requirements.
Under the NDPA, personal data should not be kept longer than necessary. For employment records, the practical approach is to align with the relevant limitation period — typically 6 years after employment ends for most records. Some categories (like pre-employment background check results) should be deleted once the employment decision is made.
Nigerian employees have the right to access, correct, and in some circumstances delete their personal data. During onboarding, this means HR should be able to quickly locate and export all data held about a specific employee — not search through multiple email threads and document folders.
The NDPC has conducted audits of Nigerian organisations and issued sanctions for non-compliance. Demonstrating NDPR compliance during an audit requires documentary evidence: privacy notices delivered, lawful basis documented, security measures implemented, and records of processing activities. Onboarding software with an audit trail provides this evidence automatically.
OnboardSwift delivers privacy notices, captures acknowledgements, and maintains an audit trail for every hire. Built for Nigerian compliance.
Yes. The NDPA 2023 and NDPR apply to all personal data processing, including employee data. HR is one of the highest-risk areas for NDPR non-compliance given the volume and sensitivity of data collected.
The NDPA provides for fines of up to ₦10 million or 2% of annual gross revenue (whichever is higher) for less serious violations, and up to ₦2 billion or 2% of annual gross revenue for more serious violations. Reputational damage and regulatory scrutiny are additional consequences.
The NDPA requires certain organisations to appoint a DPO — particularly those processing large volumes of personal data or processing sensitive categories. All organisations that process personal data are encouraged to designate a data protection contact.
Documents should be stored in an encrypted, access-controlled system — not in email inboxes or shared drives. OnboardSwift stores all onboarding documents with encryption at rest and in transit, with access restricted to authorised HR personnel.
A compliant privacy notice should cover: what data is collected, the purpose and lawful basis, retention period, third-party sharing, data subject rights (access, correction, deletion), the DPO's contact details, and how to lodge a complaint with the NDPC.